Deep#Door Python Backdoor Evades Detection On Windows

By Team-CWD, April 30, 2026

A stealthy Python-based backdoor framework capable of long-term surveillance and credential theft has been identified targeting Windows systems.

According to research from Securonix, the malware, dubbed Deep#Door, uses an obfuscated batch script to deploy a persistent implant while bypassing traditional detection methods.

Unlike many loaders that retrieve payloads from external servers, Deep#Door embeds its malicious Python code directly within the dropper script.

This self-contained approach reduces network indicators and allows the malware to reconstruct its payload both in memory and on disk during execution.

Script-Based Loader Enables Stealth Deployment

At the core of the attack chain is a heavily obfuscated batch file that disables Windows security features before extracting the embedded Python payload. The script establishes persistence through multiple mechanisms, including startup folder entries, registry run keys and scheduled tasks.

Securonix researchers noted that this method reflects a broader shift toward script-driven intrusion techniques. By relying on native tools like PowerShell, attackers can blend malicious activity with legitimate system behavior and avoid static detection.

The loader also uses a self-referential parsing technique, reading its own contents to extract the embedded payload. This eliminates the need for additional downloads and mimics fileless execution patterns that are harder to detect through network monitoring.

Key features of the malware include:

  • Embedded Python payload reconstructed at runtime

  • Multiple persistence methods including Windows Management Instrumentation (WMI) subscriptions

  • Security controls such as Windows Defender and logging disabled

Tunneling Infrastructure Hides C2

Once deployed, the backdoor communicates with attacker infrastructure via a public TCP tunneling service. This removes the need for dedicated command-and-control (C2) servers and allows malicious traffic to blend with legitimate connections.

The implant supports several capabilities, including keylogging, screenshot capture, microphone recording and browser credential harvesting. It can also extract SSH keys and cloud authentication tokens, enabling lateral movement across enterprise environments.

Extensive anti-analysis features further complicate detection. The malware checks for virtual machines, debugging tools and sandbox environments before activating. It also patches core Windows telemetry systems and clears event logs to limit forensic visibility.

“This design significantly reduces network-based detection opportunities and simplifies delivery into restricted environments,” Securonix researchers explained.

Persistent Access With Advanced Evasion Techniques

Deep#Door maintains access through layered persistence mechanisms and watchdog processes that restore components if removed.

Optional WMI subscriptions provide an additional stealthy foothold beyond traditional startup methods.
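The persistence locations the article lists (startup folder entries, registry run keys, scheduled tasks) and the WMI subscriptions mentioned here can be audited from the defender's side. The following is an added example, not code from the article or from the Securonix report; the `Add-Finding` helper and the interpreter regex are illustrative assumptions and should be tuned to the environment.

```powershell
# Added example, not from the article or the Securonix report: enumerate the four
# persistence locations named in the write-up and flag entries that launch a script
# interpreter. $Pattern is an illustrative assumption; tune it before relying on it.
$Pattern = 'python|pythonw|cmd(\.exe)? /c|powershell|wscript|cscript|mshta|-enc|\.(bat|cmd|vbs|pyw?|ps1)\b'
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Source, [string]$Name, [string]$Command, [switch]$Always) {
    # Record the entry when it matches the interpreter pattern, or unconditionally with -Always
    if ($Command -and ($Always -or ($Command -imatch $Pattern))) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}
# 1. Registry Run/RunOnce keys for the current user and the machine
foreach ($Hive in 'HKCU', 'HKLM') {
    foreach ($Sub in 'Run', 'RunOnce') {
        $Key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\$Sub"
        if (-not (Test-Path $Key)) { continue }
        (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |          # skip PowerShell's own metadata properties
            ForEach-Object { Add-Finding $Key $_.Name ([string]$_.Value) }
    }
}
# 2. Startup folders (per-user and all-users); the file name is matched against the pattern
$StartupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
Get-ChildItem -Path $StartupDirs -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
# 3. Scheduled tasks whose action executes an interpreter
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $Task = $_
    foreach ($A in $Task.Actions) { Add-Finding 'ScheduledTask' "$($Task.TaskPath)$($Task.TaskName)" "$($A.Execute) $($A.Arguments)" }
}
# 4. WMI permanent event subscriptions: any CommandLineEventConsumer is rare enough to report
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMISubscription' $_.Name $_.CommandLineTemplate -Always }
$Findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so the HKLM keys and the root\subscription namespace are readable; an empty table means none of the four locations contained an entry matching the pattern.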

Beyond surveillance, the malware includes destructive capabilities such as system crashes and boot record overwrites. These features suggest it could be used for both espionage and disruption depending on attacker objectives.

The findings reflect a continued evolution in threat actor tradecraft, where modular, script-based frameworks replace traditional binaries.

By combining in-memory execution, public infrastructure and aggressive defense evasion, Deep#Door demonstrates how modern malware can operate with minimal visibility across compromised systems.
